[olug] ssh vulnerability announced today.

Daniel G. Linder dlinder at iprevolution.net
Tue Sep 16 19:12:55 UTC 2003


Brian Roberson [mailto:roberson at olug.org] wrote:
> http://www.openssh.org/
> http://www.openssh.com/txt/buffer.adv

You can download the latest version from the OpenSSH site:
http://www.openssh.com/portable.html.  In my case, the RH 9.0 RPMs are
available here. 

In my case, I was able to download all the new 3.7 binaries, do an "sudo
rpm -Uvh" to upgrade/install them, and then do a "sudo /etc/init.d/sshd
restart" to stop the old 3.5 sshd binary and restart.  Now when I telnet
to port 22, I am greeted with the following:
$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.7p1
^]
telnet> quit
Connection closed.

Note the line "SSH-1.99-OpenSSH_3.7p1".  From what I understand, the
3.7p1 was released today and is not vulnerable to this bug.

I am making these available on my FTP server: ftp.linder.org in
/pub/ssh3.7p1

Dan

P.S. For anyone running Debian stable, I believe the commands are (as
root):
  apt-get update
  apt-get upgrade
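
Added example, not part of the original message: the telnet banner check above, automated so it can be run across several hosts after upgrading. The 3.7 threshold is taken from the message; the function names and the sample banners other than "SSH-1.99-OpenSSH_3.7p1" are constructed for illustration.

```python
import re
import socket

# Threshold taken from the message above (3.7p1 described as the fixed release).
FIXED = (3, 7)

# Identification string format: SSH-<protoversion>-<softwareversion>
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(p\d+)?")

def parse_banner(line):
    """Return (protocol, (major, minor, patch), portable_tag), or None if not OpenSSH."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    proto, major, minor, patch, portable = m.groups()
    return proto, (int(major), int(minor), int(patch or 0)), portable or ""

def needs_upgrade(line, fixed=FIXED):
    """True if older than `fixed`, False if not, None if the banner is not OpenSSH."""
    parsed = parse_banner(line)
    if parsed is None:
        return None
    return parsed[1][:len(fixed)] < fixed

def read_banner(host, port=22, timeout=5.0):
    """Read the first line the server sends, as the telnet session above does."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while b"\n" not in data and len(data) < 255:
            chunk = s.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].decode("ascii", "replace").strip()

# Constructed sample banners (the first is the one shown in the message).
SAMPLES = [
    "SSH-1.99-OpenSSH_3.7p1",
    "SSH-1.99-OpenSSH_3.5p1",
    "SSH-2.0-OpenSSH_3.7.1p2",
    "SSH-2.0-SomeOtherServer_1.0",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(f"{banner:32} needs_upgrade={needs_upgrade(banner)}")
```

Distribution packages that backport fixes can keep the old version string, so treat the banner as a first-pass inventory check and confirm against the installed package version.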
